fix: implement cel context lib correctly (#11983)

* fix: implement cel context lib correctly Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> * more changes Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com> --------- Signed-off-by: Charles-Edouard Brétéché <charles.edouard@nirmata.com>
2025-03-06 16:06:56 +00:00 · 2025-01-23 12:02:33 +01:00 · 2025-01-23 12:02:33 +01:00 · 144bf436ed
commit 144bf436ed
parent e481ec4231
6 changed files with 92 additions and 6 deletions
--- a/pkg/cel/engine/engine.go
+++ b/pkg/cel/engine/engine.go
@ -74,7 +74,7 @@ func (e *engine) Handle(ctx context.Context, request EngineRequest) (EngineRespo

 func (e *engine) handlePolicy(ctx context.Context, policy CompiledPolicy, resource *unstructured.Unstructured, namespace *unstructured.Unstructured) PolicyResponse {
 	var rules []engineapi.RuleResponse
-	results, err := policy.CompiledPolicy.Evaluate(ctx, resource, namespace)
+	results, err := policy.CompiledPolicy.Evaluate(ctx, resource, namespace, nil)
 	// TODO: error is about match conditions here ?
 	if err != nil {
 		rules = handlers.WithResponses(engineapi.RuleError("evaluation", engineapi.Validation, "failed to load context", err, nil))
--- a/pkg/cel/libs/context/impl_test.go
+++ b/pkg/cel/libs/context/impl_test.go
@ -0,0 +1,49 @@
+package context
+
+import (
+	"testing"
+
+	"github.com/google/cel-go/cel"
+	"github.com/stretchr/testify/assert"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+)
+
+type ctx struct {
+	GetConfigMapFunc func(string, string) (unstructured.Unstructured, error)
+}
+
+func (mock *ctx) GetConfigMap(ns string, n string) (unstructured.Unstructured, error) {
+	return mock.GetConfigMapFunc(ns, n)
+}
+
+func Test_impl_get_configmap_string_string(t *testing.T) {
+	opts := Lib()
+	base, err := cel.NewEnv(opts)
+	assert.NoError(t, err)
+	assert.NotNil(t, base)
+	options := []cel.EnvOption{
+		cel.Variable("context", ContextType),
+	}
+	env, err := base.Extend(options...)
+	assert.NoError(t, err)
+	assert.NotNil(t, env)
+	ast, issues := env.Compile(`context.GetConfigMap("foo","bar")`)
+	assert.Nil(t, issues)
+	assert.NotNil(t, ast)
+	prog, err := env.Program(ast)
+	assert.NoError(t, err)
+	assert.NotNil(t, prog)
+	called := false
+	data := map[string]any{
+		"context": Context{&ctx{
+			GetConfigMapFunc: func(string, string) (unstructured.Unstructured, error) {
+				called = true
+				return unstructured.Unstructured{}, nil
+			},
+		}},
+	}
+	out, _, err := prog.Eval(data)
+	assert.NoError(t, err)
+	assert.NotNil(t, out)
+	assert.True(t, called)
+}
--- a/pkg/cel/libs/context/lib.go
+++ b/pkg/cel/libs/context/lib.go
@ -1,10 +1,15 @@
 package context

 import (
+	"reflect"
+
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
+	"github.com/google/cel-go/ext"
 )

+const libraryName = "kyverno.context"
+
 type lib struct{}

 func Lib() cel.EnvOption {
@ -13,11 +18,12 @@ func Lib() cel.EnvOption {
 }

 func (*lib) LibraryName() string {
-	return "kyverno.context"
+	return libraryName
 }

 func (c *lib) CompileOptions() []cel.EnvOption {
 	return []cel.EnvOption{
+		ext.NativeTypes(reflect.TypeFor[Context]()),
 		c.extendEnv,
 	}
 }
--- a/pkg/cel/libs/context/lib_test.go
+++ b/pkg/cel/libs/context/lib_test.go
@ -0,0 +1,20 @@
+package context
+
+import (
+	"testing"
+
+	"github.com/google/cel-go/cel"
+	"github.com/stretchr/testify/assert"
+)
+
+func TestLib(t *testing.T) {
+	opts := Lib()
+	env, err := cel.NewEnv(opts)
+	assert.NoError(t, err)
+	assert.NotNil(t, env)
+}
+
+func Test_lib_LibraryName(t *testing.T) {
+	var l lib
+	assert.Equal(t, libraryName, l.LibraryName())
+}
--- a/pkg/cel/libs/context/types.go
+++ b/pkg/cel/libs/context/types.go
@ -5,8 +5,12 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 )

-var ContextType = types.NewObjectType("context.Context")
+var ContextType = types.NewOpaqueType("context.Context")

-type Context interface {
+type ContextInterface interface {
 	GetConfigMap(string, string) (unstructured.Unstructured, error)
 }
+
+type Context struct {
+	ContextInterface
+}
--- a/pkg/cel/policy/policy.go
+++ b/pkg/cel/policy/policy.go
@ -6,6 +6,7 @@ import (
 	"github.com/google/cel-go/cel"
 	"github.com/google/cel-go/common/types"
 	"github.com/google/cel-go/common/types/ref"
+	contextlib "github.com/kyverno/kyverno/pkg/cel/libs/context"
 	"github.com/kyverno/kyverno/pkg/cel/utils"
 	"go.uber.org/multierr"
 	admissionregistrationv1 "k8s.io/api/admissionregistration/v1"
@ -24,7 +25,7 @@ type EvaluationResult struct {
 }

 type CompiledPolicy interface {
-	Evaluate(context.Context, resource, namespace) ([]EvaluationResult, error)
+	Evaluate(context.Context, resource, namespace, contextlib.ContextInterface) ([]EvaluationResult, error)
 }

 type compiledPolicy struct {
@ -35,7 +36,12 @@ type compiledPolicy struct {
 	auditAnnotations map[string]cel.Program
 }

-func (p *compiledPolicy) Evaluate(ctx context.Context, resource resource, namespace namespace) ([]EvaluationResult, error) {
+func (p *compiledPolicy) Evaluate(
+	ctx context.Context,
+	resource resource,
+	namespace namespace,
+	context contextlib.ContextInterface,
+) ([]EvaluationResult, error) {
 	match, err := p.match(ctx, resource, namespace)
 	if err != nil {
 		return nil, err
@ -52,6 +58,7 @@ func (p *compiledPolicy) Evaluate(ctx context.Context, resource resource, namesp
 		NamespaceObjectKey: nsData,
 		ObjectKey:          resource.UnstructuredContent(),
 		VariablesKey:       vars,
+		ContextKey:         contextlib.Context{ContextInterface: context},
 	}
 	for name, variable := range p.variables {
 		vars.Append(name, func(*lazy.MapValue) ref.Val {